Massachusetts Can Sue Equifax Over Data Breach, Judge Rules

Massachusetts can move forward with a lawsuit accusing credit reporting firm Equifax Inc. of failing to safeguard its databases or provide prompt notice of a breach that exposed the personal data of 147 million people, a state court judge has ruled.

Suffolk County Superior Court Judge Kenneth Salinger in Boston, in a decision made public on Wednesday, denied a motion by Equifax to dismiss a lawsuit Massachusetts Attorney General Maura Healey filed after the breach was disclosed in September.

Salinger wrote that the lawsuit stated a plausible claim that Equifax breached its legal duties to address all reasonably foreseeable risks to its data security and to implement reasonably up-to-date fixes to its software.

The lawsuit alleged that Equifax knew or should have known by March 2017 that a serious security vulnerability existed in computer code the company used in its systems, but that it failed to patch or upgrade its software to eliminate the flaw.

As a result, hackers were able to access its databases and steal personal information, the lawsuit alleged.

“These allegations state a viable claim for violation of the data security regulations,” Salinger wrote.

Equifax declined to comment.

The lawsuit is one of several legal challenges facing Equifax related to the data breach. It also faces class action lawsuits and investigations by the U.S. Federal Trade Commission and various state attorneys general.

The lawsuit that Healey filed in September is the only one by a state attorney general to date. The lawsuit seeks penalties and restitution as well as an order requiring Equifax to disgorge any profits it obtained during the breach.

In a statement, Healey, a Democrat, said her office was prepared to make its case in court to protect state residents and prevent future breaches.

“Today’s order confirms that Equifax is not above the law and can be held accountable for violating the rights of Massachusetts consumers,” she said.

Equifax in March said it expects costs related to its massive data breach to surge by $275 million this year, suggesting the incident could turn out to be the most costly hack in corporate history.

Equifax in court papers says that it is continuing to cooperate with the Federal Bureau of Investigation and other law enforcement agencies to investigate the breach and identify the hackers behind it.